Black Arrow Cyber Advisory 12 June 2024 – Fortinet FortiGate SSL VPN Vulnerability Leads to 20,000 Systems Being Breached by China Globally

Executive summary

The Dutch National Cyber Security Centre (NCSC) has reported that state-sponsored threat actors backed by China gained access to 20,000 Fortinet FortiGate systems globally between 2022 and 2023 in the Coathanger malware campaign. Initial access was gained through CVE-2022-42475, a vulnerability in the FortiOS SSL VPN that allows a remote, unauthenticated attacker to execute arbitrary code. The Coathanger malware is persistent: it survives reboots and firmware and software updates, so patching alone does not remove it from a device that was already compromised. Fortinet silently released a fix for the vulnerability in November 2022 but did not publish an advisory until December 2022; during that window, 14,000 devices were backdoored.

What’s the risk to me or my business?

If your organisation runs an affected Fortinet product, this vulnerability poses a significant risk. An attacker who exploits it can remotely execute malicious code on the device, and the Coathanger malware deployed in this campaign remains on the device even after reboots and firmware updates. Because a FortiGate sits at the edge of your network, a compromised device could undermine the confidentiality, integrity and availability of your organisation’s data.

What can I do?

Coathanger is difficult to identify and remove, and installing the patch does not remove an implant that is already present. If a device ran an affected version while its SSL VPN was exposed, treat it as potentially compromised and check it against the indicators of compromise in the links below. If you are unsure of what to do, please contact Black Arrow for further help and guidance.

Technical Summary

CVE-2022-42475: This is a heap-based buffer overflow vulnerability in the FortiOS SSL VPN which may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

The affected products are:

· FortiOS version 7.2.0 through 7.2.2
· FortiOS version 7.0.0 through 7.0.8
· FortiOS version 6.4.0 through 6.4.10
· FortiOS version 6.2.0 through 6.2.11
· FortiOS version 6.0.0 through 6.0.15
· FortiOS version 5.6.0 through 5.6.14
· FortiOS version 5.4.0 through 5.4.13
· FortiOS version 5.2.0 through 5.2.15
· FortiOS version 5.0.0 through 5.0.14
· FortiOS-6K7K version 7.0.0 through 7.0.7
· FortiOS-6K7K version 6.4.0 through 6.4.9
· FortiOS-6K7K version 6.2.0 through 6.2.11
· FortiOS-6K7K version 6.0.0 through 6.0.14
· FortiProxy version 7.2.0 through 7.2.1
· FortiProxy version 7.0.0 through 7.0.7
· FortiProxy version 2.0.0 through 2.0.11
· FortiProxy version 1.2.0 through 1.2.13
· FortiProxy version 1.1.0 through 1.1.6
· FortiProxy version 1.0.0 through 1.0.7
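As a practical first check for the "What can I do?" section and the version list above, here is an added Python example (written for this page, not code from Black Arrow or Fortinet). It tests a device's reported version against the affected ranges listed in this advisory and counts event-log entries matching the sslvpnd crash indicator that the FortiGuard advisory linked below describes. The sample status line and log lines are constructed for the example; the crash-log pattern is an assumption modelled on the advisory's wording; and a clean result from these two checks is not proof that a device is uncompromised.

```python
import re

# Affected version ranges, inclusive, exactly as listed in the advisory above:
# (product, first affected, last affected).
AFFECTED = [
    ("FortiOS", (7, 2, 0), (7, 2, 2)),
    ("FortiOS", (7, 0, 0), (7, 0, 8)),
    ("FortiOS", (6, 4, 0), (6, 4, 10)),
    ("FortiOS", (6, 2, 0), (6, 2, 11)),
    ("FortiOS", (6, 0, 0), (6, 0, 15)),
    ("FortiOS", (5, 6, 0), (5, 6, 14)),
    ("FortiOS", (5, 4, 0), (5, 4, 13)),
    ("FortiOS", (5, 2, 0), (5, 2, 15)),
    ("FortiOS", (5, 0, 0), (5, 0, 14)),
    ("FortiOS-6K7K", (7, 0, 0), (7, 0, 7)),
    ("FortiOS-6K7K", (6, 4, 0), (6, 4, 9)),
    ("FortiOS-6K7K", (6, 2, 0), (6, 2, 11)),
    ("FortiOS-6K7K", (6, 0, 0), (6, 0, 14)),
    ("FortiProxy", (7, 2, 0), (7, 2, 1)),
    ("FortiProxy", (7, 0, 0), (7, 0, 7)),
    ("FortiProxy", (2, 0, 0), (2, 0, 11)),
    ("FortiProxy", (1, 2, 0), (1, 2, 13)),
    ("FortiProxy", (1, 1, 0), (1, 1, 6)),
    ("FortiProxy", (1, 0, 0), (1, 0, 7)),
]


def parse_version(text):
    """Return (major, minor, patch) as integers from a bare version such as
    'v7.0.8' or from the 'Version:' line printed by 'get system status'.
    Integer tuples are used so that 7.0.10 sorts above 7.0.8, which a plain
    string comparison would get wrong."""
    m = re.search(r"\bv?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version number in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(product, version):
    """True if 'version' (a string or a (major, minor, patch) tuple) of the
    given product falls inside any affected range from the advisory."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    return any(p == product and lo <= v <= hi for p, lo, hi in AFFECTED)


# Assumption: the FortiGuard advisory FG-IR-22-398 linked below lists repeated
# "Application crashed" event-log entries for the sslvpnd process, with
# "Signal 11 received" in the message, as an indicator of exploitation
# attempts. This pattern follows that description; it is not Fortinet's code.
SSLVPND_CRASH = re.compile(
    r'logdesc="Application crashed".*application:\s*sslvpnd\b.*Signal 11 received',
    re.IGNORECASE,
)


def count_sslvpnd_crashes(log_lines):
    """Count event-log lines matching the sslvpnd crash indicator. Failed
    attempts against a heap overflow usually crash the target process, so a
    burst of these on an exposed device deserves attention."""
    return sum(1 for line in log_lines if SSLVPND_CRASH.search(line))


def assess(product, status_line, log_lines):
    """Combine the version check and the crash-log check into one verdict."""
    affected = is_affected(product, status_line)
    crashes = count_sslvpnd_crashes(log_lines)
    if affected and crashes:
        verdict = "affected version and sslvpnd crash indicators: isolate and investigate"
    elif affected:
        verdict = "affected version: patch, then hunt for IOCs (patching does not remove an implant)"
    elif crashes:
        verdict = "fixed version but sslvpnd crash indicators: investigate, exploitation may predate the patch"
    else:
        verdict = "no finding from these two checks (not proof of absence)"
    return {"affected_version": affected, "sslvpnd_crashes": crashes, "verdict": verdict}


# Constructed sample input: a 'get system status' Version line and four event
# log lines written for this example; they are not captured from a real device.
SAMPLE_STATUS = "Version: FortiGate-100F v7.0.8,build0418,221101 (GA)"
SAMPLE_LOGS = [
    'date=2022-12-01 time=03:14:07 level="critical" logdesc="Application crashed" '
    'msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"',
    'date=2022-12-01 time=03:14:09 level="critical" logdesc="Application crashed" '
    'msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"',
    'date=2022-12-01 time=03:20:00 level="information" logdesc="Admin login successful" '
    'msg="Administrator admin logged in successfully from https(10.0.0.5)"',
    'date=2022-12-01 time=04:00:00 level="critical" logdesc="Application crashed" '
    'msg="[...] application:ipsengine,[...], Signal 11 received, Backtrace: [...]"',
]

if __name__ == "__main__":
    for product, version in [("FortiOS", SAMPLE_STATUS), ("FortiOS", "v7.0.9"),
                             ("FortiOS-6K7K", "v7.0.7"), ("FortiProxy", "v2.0.12")]:
        print(f"{product} {parse_version(version)}: affected={is_affected(product, version)}")
    print(assess("FortiOS", SAMPLE_STATUS, SAMPLE_LOGS))
```

Feed `is_affected` the `Version:` line from `get system status` and the product name as it appears in the list (FortiOS, FortiOS-6K7K or FortiProxy), and feed `count_sslvpnd_crashes` the event log exported from the device or your SIEM. A fixed version with crash indicators in older logs still warrants investigation, because exploitation may have happened before the upgrade and Coathanger survives the upgrade.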

Further information from the Dutch National Cyber Security Centre (NCSC-NL) can be found here:

https://www.ncsc.nl/actueel/nieuws/2024/juni/10/aanhoudende-statelijke-cyberspionagecampagne-via-kwetsbare-edge-devices

Further information on the FortiGuard Advisory can be found here:

https://www.fortiguard.com/psirt/FG-IR-22-398

Further information on the Indicators of compromise can be found here:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420


Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity
